OpenStack Crash Course

# Install OpenStack CLI client
pip install python-openstackclient

# Check version
openstack --version

Lesson 2: OpenStack Architecture

Core Services Overview

OpenStack is composed of multiple services that work together to provide a complete cloud infrastructure. Each service has a code name and serves a specific purpose.

Nova (Compute Service)

Nova is the primary computing engine of OpenStack. It manages the lifecycle of compute instances, handling spawning, scheduling, and decommissioning of virtual machines.

# List available compute services
openstack compute service list

# View hypervisor statistics
openstack hypervisor stats show

Key Components:

• nova-api: Accepts and responds to API calls
• nova-scheduler: Determines which compute host to run instances on
• nova-compute: Manages the hypervisor and creates/terminates instances
• nova-conductor: Mediates database access

Neutron (Networking Service)

Neutron provides "networking as a service" between interface devices managed by other OpenStack services. It enables complex network topologies and IP address management.

# List networks
openstack network list

# Show network details
openstack network show <network-name>

Features:

• Virtual networks, subnets, and routers
• Security groups and firewall rules
• Load balancing as a service (LBaaS)
• VPN as a service (VPNaaS)

Cinder (Block Storage Service)

Cinder provides persistent block storage to running instances. These volumes persist independent of instance lifetime and can be attached to running instances.

# Create a volume
openstack volume create --size 10 my-volume

# List volumes
openstack volume list

Glance (Image Service)

Glance provides discovery, registration, and delivery services for disk and server images. It allows users to copy server images and use them as templates for new instances.

# List available images
openstack image list

# Create an image from file
openstack image create "Ubuntu-20.04" \
  --file ubuntu-20.04.qcow2 \
  --disk-format qcow2 \
  --container-format bare \
  --public

Keystone (Identity Service)

Keystone provides authentication and authorization for all OpenStack services. It's the first service a user interacts with and manages users, projects, roles, and service catalog.

# List users
openstack user list

# List projects
openstack project list

# List roles
openstack role list

Swift (Object Storage Service)

Swift is a highly available, distributed, eventually consistent object storage system. It's ideal for storing unstructured data like documents, images, and backups.

# List containers
openstack container list

# Upload an object
openstack object create my-container file.txt

Horizon (Dashboard Service)

Horizon provides a web-based user interface to access and manage OpenStack services. It's built on Django and provides both administrator and user-facing portals.

Service Communication

OpenStack services communicate through:

• REST APIs: HTTP-based communication
• Message Queue (RabbitMQ/AMQP): Asynchronous messaging
• Database (MySQL/MariaDB): State storage

Lesson 3: Identity and Authentication

Understanding Keystone

Keystone is the identity service for OpenStack. It provides a central directory of users, groups, projects (tenants), roles, and services. Every interaction with OpenStack must first authenticate through Keystone.

Core Concepts

1. Users

A user represents an individual or service that interacts with OpenStack. Each user has credentials (password, API key, etc.) for authentication.

# Create a new user
openstack user create john \
  --password secure_password \
  --email john@example.com

# List all users
openstack user list

# Show user details
openstack user show john

2. Projects (Tenants)

Projects are containers that group and isolate resources. A project might represent a department, application, or customer in a multi-tenant environment.

# Create a project
openstack project create development \
  --description "Development Team Project"

# List projects
openstack project list

# Show project details
openstack project show development

3. Roles

Roles define what actions a user can perform. Common roles include admin, member, and reader. Roles are assigned to users within the context of a specific project.

# List available roles
openstack role list

# Assign a role to a user in a project
openstack role add --project development --user john member

# List user's role assignments
openstack role assignment list --user john

4. Domains

Domains are high-level containers for projects, users, and groups. They provide administrative boundaries and namespace isolation.

# Create a domain
openstack domain create company-domain \
  --description "Company Domain"

# List domains
openstack domain list

# Create a project within a domain
openstack project create engineering \
  --domain company-domain

Authentication and Tokens

When you authenticate with OpenStack, Keystone issues a token that serves as temporary credentials. Tokens have a limited lifetime (typically 1 hour) and must be renewed.

Token Types

• UUID Tokens: Simple random UUID, requires server-side validation
• Fernet Tokens: Lightweight, encrypted, no persistence required (recommended)
• JWT Tokens: JSON Web Tokens for federation scenarios

# Authenticate and get a token (done automatically by CLI)
# View your token
openstack token issue

# The output shows:
# - Token ID
# - Expiration time
# - Project scope
# - User information

Service Catalog

Keystone maintains a service catalog that lists all available OpenStack services and their API endpoints. This allows clients to discover service locations dynamically.

# View service catalog
openstack catalog list

# Show endpoint details for a service
openstack endpoint list --service nova

Authentication Workflow

A typical authentication workflow:

1. User provides credentials (username, password, project)
2. Keystone validates credentials against the identity backend
3. Keystone generates a token and returns it with service catalog
4. User includes token in subsequent API requests
5. Services validate token with Keystone before processing requests

Environment Variables

For convenience, authentication credentials are typically stored in environment variables or an RC file:

# Source your OpenStack credentials
export OS_AUTH_URL=http://controller:5000/v3
export OS_PROJECT_NAME=development
export OS_USERNAME=john
export OS_PASSWORD=secure_password
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_IDENTITY_API_VERSION=3

# Or source from a file
source admin-openrc.sh

Policy and Authorization

Each OpenStack service has a policy.json (or policy.yaml) file that defines fine-grained access control rules. These policies check the user's role before allowing operations.

# Example policy rule (in policy.json)
# "compute:create": "rule:admin_or_owner"
# This means only admins or resource owners can create instances

Lesson 4: Compute Service (Nova)

Launching Your First Instance

Nova is the heart of OpenStack's compute capabilities. Let's walk through launching and managing instances step by step.

Understanding Flavors

A flavor defines the compute, memory, and storage capacity of an instance. Think of it as a "size" or "configuration template" for your VM.

# List available flavors
openstack flavor list

# Show detailed flavor information
openstack flavor show m1.small

# Create a custom flavor
openstack flavor create m1.custom \
  --ram 2048 \
  --disk 20 \
  --vcpus 2 \
  --public

Common flavor properties:

• VCPUs: Number of virtual CPU cores
• RAM: Memory in MB
• Disk: Root disk size in GB
• Ephemeral: Additional ephemeral disk (optional)
• Swap: Swap space in MB (optional)

Working with Images

Images are templates used to create instances. OpenStack supports various image formats including QCOW2, RAW, VDI, and VMDK.

# List available images
openstack image list

# Download an image (example: Ubuntu Cloud Image)
wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img

# Upload image to Glance
openstack image create "Ubuntu-20.04-LTS" \
  --file focal-server-cloudimg-amd64.img \
  --disk-format qcow2 \
  --container-format bare \
  --public

# Show image details
openstack image show Ubuntu-20.04-LTS

Keypairs for SSH Access

Keypairs provide secure SSH access to instances. You can either import an existing key or generate a new one.

# Create a new keypair (OpenStack generates it)
openstack keypair create my-key > my-key.pem
chmod 600 my-key.pem

# Import an existing public key
openstack keypair create --public-key ~/.ssh/id_rsa.pub my-existing-key

# List keypairs
openstack keypair list

# Show keypair details
openstack keypair show my-key

Security Groups

Security groups act as virtual firewalls, controlling inbound and outbound traffic to instances.

# List security groups
openstack security group list

# Create a new security group
openstack security group create web-servers \
  --description "Security group for web servers"

# Add rules to allow HTTP and HTTPS
openstack security group rule create web-servers \
  --protocol tcp \
  --dst-port 80 \
  --remote-ip 0.0.0.0/0

openstack security group rule create web-servers \
  --protocol tcp \
  --dst-port 443 \
  --remote-ip 0.0.0.0/0

# Allow SSH access
openstack security group rule create web-servers \
  --protocol tcp \
  --dst-port 22 \
  --remote-ip 0.0.0.0/0

# List rules in a security group
openstack security group rule list web-servers

Launching an Instance

Now that we have all the components, let's launch an instance!

# Basic instance launch
openstack server create \
  --flavor m1.small \
  --image Ubuntu-20.04-LTS \
  --key-name my-key \
  --security-group web-servers \
  --network private-network \
  my-web-server

# Launch with a specific availability zone
openstack server create \
  --flavor m1.medium \
  --image Ubuntu-20.04-LTS \
  --key-name my-key \
  --security-group default \
  --network private-network \
  --availability-zone nova:compute-node-1 \
  my-instance

# List instances
openstack server list

# Show instance details
openstack server show my-web-server

# Check instance console log
openstack console log show my-web-server

Managing Instances

Once an instance is running, you can perform various management operations:

# Stop an instance (graceful shutdown)
openstack server stop my-web-server

# Start a stopped instance
openstack server start my-web-server

# Reboot an instance
openstack server reboot my-web-server
openstack server reboot --hard my-web-server  # force reboot

# Pause an instance (stores state in memory)
openstack server pause my-web-server
openstack server unpause my-web-server

# Suspend an instance (stores state to disk)
openstack server suspend my-web-server
openstack server resume my-web-server

# Resize an instance (change flavor)
openstack server resize my-web-server --flavor m1.medium
openstack server resize confirm my-web-server  # or revert

# Delete an instance
openstack server delete my-web-server

Accessing Instances

There are several ways to access your instances:

# Get console URL (for VNC access)
openstack console url show my-web-server

# SSH into an instance (if it has a floating IP)
ssh -i my-key.pem ubuntu@floating-ip-address

# Access instance metadata from within the instance
curl http://169.254.169.254/latest/meta-data/

# Launch instance with user data
openstack server create \
  --flavor m1.small \
  --image Ubuntu-20.04-LTS \
  --key-name my-key \
  --user-data userdata.txt \
  my-custom-server

# Example userdata.txt content:
#!/bin/bash
apt-get update
apt-get install -y nginx
systemctl start nginx

Lesson 5: Storage Services

Understanding OpenStack Storage

OpenStack provides three types of storage, each designed for different use cases:

• Ephemeral Storage: Temporary storage tied to instance lifecycle
• Block Storage (Cinder): Persistent volumes that can be attached to instances
• Object Storage (Swift): Scalable storage for unstructured data

Cinder: Block Storage

Cinder provides persistent block-level storage that can be attached to Nova instances. Volumes persist independently of instances and can be detached and reattached to different instances.

Creating and Managing Volumes

# Create a volume
openstack volume create \
  --size 10 \
  --description "Database volume" \
  db-volume

# Create a volume from an image
openstack volume create \
  --size 20 \
  --image Ubuntu-20.04-LTS \
  bootable-volume

# List volumes
openstack volume list

# Show volume details
openstack volume show db-volume

# Extend a volume (increase size)
openstack volume set --size 20 db-volume

Attaching Volumes to Instances

# Attach a volume to an instance
openstack server add volume my-web-server db-volume

# List volume attachments
openstack volume list --long

# Detach a volume
openstack server remove volume my-web-server db-volume

# Mount the volume inside the instance (run on the instance)
# First, find the device name
lsblk
# Then create filesystem and mount
sudo mkfs.ext4 /dev/vdb
sudo mkdir /mnt/data
sudo mount /dev/vdb /mnt/data

# Make mount persistent (add to /etc/fstab)
echo '/dev/vdb /mnt/data ext4 defaults 0 0' | sudo tee -a /etc/fstab

Volume Snapshots and Backups

Snapshots create point-in-time copies of volumes, while backups are stored in a separate backend (often Swift).

# Create a snapshot
openstack volume snapshot create \
  --volume db-volume \
  --description "Before upgrade" \
  db-snapshot-001

# List snapshots
openstack volume snapshot list

# Create a volume from a snapshot
openstack volume create \
  --snapshot db-snapshot-001 \
  --size 10 \
  restored-volume

# Create a backup
openstack volume backup create \
  --name db-backup-001 \
  db-volume

# List backups
openstack volume backup list

# Restore from backup
openstack volume backup restore db-backup-001 db-volume

Volume Types and QoS

Volume types allow you to define different storage backends and Quality of Service (QoS) specifications.

# List volume types
openstack volume type list

# Create a volume with a specific type
openstack volume create \
  --size 50 \
  --type high-performance-ssd \
  fast-volume

# Show volume type details
openstack volume type show high-performance-ssd

Glance: Image Service

Glance manages virtual machine images. It supports various formats and can store images in different backends including Swift, Cinder, and local filesystem.

Image Management

# List images with details
openstack image list --long

# Download an image
openstack image save --file downloaded.img Ubuntu-20.04-LTS

# Update image properties
openstack image set Ubuntu-20.04-LTS \
  --property os_distro=ubuntu \
  --property os_version=20.04

# Share image with another project
openstack image add project Ubuntu-20.04-LTS other-project
openstack image set --accept Ubuntu-20.04-LTS

# Delete an image
openstack image delete old-image

Creating Images from Instances

# Create a snapshot image from a running instance
openstack server image create \
  --name my-custom-image \
  my-web-server

# Wait for the image to become active
openstack image list | grep my-custom-image

# Launch a new instance from the custom image
openstack server create \
  --flavor m1.small \
  --image my-custom-image \
  --key-name my-key \
  cloned-server

Swift: Object Storage

Swift provides eventually consistent distributed object storage. It's designed for storing large amounts of unstructured data like backups, archives, and media files.

Working with Containers and Objects

# Create a container
openstack container create backups

# List containers
openstack container list

# Upload an object
openstack object create backups backup-2024.tar.gz

# Upload multiple objects
openstack object create backups *.log

# List objects in a container
openstack object list backups

# Download an object
openstack object save backups backup-2024.tar.gz

# Delete an object
openstack object delete backups old-backup.tar.gz

# Delete a container (must be empty)
openstack container delete backups

Container Metadata and ACLs

# Set container to be publicly readable
openstack container set --property read='.r:*' public-content

# Set metadata on a container
openstack container set \
  --property X-Container-Meta-Owner="IT Department" \
  backups

# Show container details
openstack container show backups

# Set object metadata
openstack object set \
  --property Content-Type=application/gzip \
  backups backup-2024.tar.gz

Large Object Support

Swift can handle objects larger than 5GB using segmentation:

# Upload a large file (automatically segments it)
swift upload backups large-file.iso --segment-size 1073741824

# List segments
openstack object list backups_segments

Storage Best Practices

• Use Cinder for databases and applications requiring persistent storage
• Use Swift for backups, archives, and static content
• Take regular snapshots of critical volumes
• Store backups in Swift for cost-effective long-term retention
• Use volume encryption for sensitive data
• Monitor storage capacity and set up alerts
• Implement lifecycle policies for automated cleanup

Lesson 6: Networking and Production

Neutron: Networking as a Service

Neutron provides advanced networking capabilities for OpenStack. It enables creation of complex network topologies, manages IP addresses, and provides network services like load balancing and VPN.

Network Types

• Provider Networks: Mapped directly to physical networks
• Tenant Networks: Isolated virtual networks for projects
• External Networks: Networks with external internet connectivity
• Shared Networks: Networks accessible by multiple projects

Creating Networks and Subnets

# Create a private network
openstack network create private-net

# Create a subnet within the network
openstack subnet create private-subnet \
  --network private-net \
  --subnet-range 192.168.1.0/24 \
  --gateway 192.168.1.1 \
  --dns-nameserver 8.8.8.8

# List networks
openstack network list

# Show network details
openstack network show private-net

# List subnets
openstack subnet list

# Show subnet details
openstack subnet show private-subnet

Routers and External Connectivity

Routers connect different networks and provide gateway access to external networks.

# Create a router
openstack router create main-router

# Set the external gateway (connects to public network)
openstack router set main-router --external-gateway public

# Add an interface to connect to private network
openstack router add subnet main-router private-subnet

# List routers
openstack router list

# Show router details
openstack router show main-router

Floating IPs

Floating IPs are public IP addresses that can be dynamically assigned to instances for external access.

# List available floating IPs
openstack floating ip list

# Create/allocate a floating IP from external network
openstack floating ip create public

# Associate floating IP with an instance
openstack server add floating ip my-web-server 203.0.113.25

# Disassociate floating IP
openstack server remove floating ip my-web-server 203.0.113.25

# Delete/release floating IP
openstack floating ip delete 203.0.113.25

Complete Network Setup Example

# Complete workflow to give an instance internet access
# 1. Create network and subnet
openstack network create app-network
openstack subnet create app-subnet \
  --network app-network \
  --subnet-range 10.0.1.0/24 \
  --dns-nameserver 8.8.8.8

# 2. Create router and connect networks
openstack router create app-router
openstack router set app-router --external-gateway public
openstack router add subnet app-router app-subnet

# 3. Launch instance on the private network
openstack server create \
  --flavor m1.small \
  --image Ubuntu-20.04-LTS \
  --network app-network \
  --key-name my-key \
  --security-group default \
  app-server

# 4. Assign floating IP
FLOATING_IP=$(openstack floating ip create public -f value -c floating_ip_address)
openstack server add floating ip app-server $FLOATING_IP

# 5. Test connectivity
ping $FLOATING_IP
ssh -i my-key.pem ubuntu@$FLOATING_IP

Advanced Networking Features

Port Management

Ports represent virtual network interface cards (vNICs) attached to instances.

# List ports
openstack port list

# Create a port with specific IP
openstack port create \
  --network private-net \
  --fixed-ip subnet=private-subnet,ip-address=192.168.1.100 \
  web-port

# Launch instance with specific port
openstack server create \
  --flavor m1.small \
  --image Ubuntu-20.04-LTS \
  --port web-port \
  --key-name my-key \
  web-server-01

# Show port details
openstack port show web-port

Security Group Rules

# Create security group for database servers
openstack security group create db-servers \
  --description "Database tier security group"

# Allow MySQL from application subnet only
openstack security group rule create db-servers \
  --protocol tcp \
  --dst-port 3306 \
  --remote-ip 10.0.1.0/24

# Allow PostgreSQL
openstack security group rule create db-servers \
  --protocol tcp \
  --dst-port 5432 \
  --remote-ip 10.0.1.0/24

# Allow all traffic from same security group (inter-instance)
openstack security group rule create db-servers \
  --protocol any \
  --remote-group db-servers

Production Best Practices

1. High Availability

• Deploy instances across multiple availability zones
• Use server groups with anti-affinity policies
• Implement load balancing for application tiers
• Set up automated health checks and recovery

# Create server group with anti-affinity
openstack server group create \
  --policy anti-affinity \
  web-tier-group

# Launch instances in the server group
openstack server create \
  --flavor m1.small \
  --image Ubuntu-20.04-LTS \
  --hint group=web-tier-group \
  web-01

openstack server create \
  --flavor m1.small \
  --image Ubuntu-20.04-LTS \
  --hint group=web-tier-group \
  web-02

2. Security Hardening

• Use security groups to implement least privilege
• Disable password authentication (use key-based auth only)
• Keep security group rules as restrictive as possible
• Regularly rotate credentials and keys
• Enable encryption for volumes containing sensitive data
• Use private networks and jump hosts for internal resources

3. Resource Management

• Set project quotas to prevent resource exhaustion
• Use metadata and tags for resource organization
• Implement naming conventions for resources
• Regular cleanup of unused resources

# View project quotas
openstack quota show

# Set custom quotas for a project
openstack quota set \
  --instances 50 \
  --cores 100 \
  --ram 204800 \
  --volumes 100 \
  development

# Add metadata to resources
openstack server set \
  --property environment=production \
  --property team=engineering \
  web-server

4. Monitoring and Logging

• Monitor instance status and resource utilization
• Set up alerts for critical events
• Centralize logs for analysis
• Regular review of console logs and audit trails

# Get instance metrics
openstack server show web-server -f json

# View console output for troubleshooting
openstack console log show web-server --lines 50

# List recent events for an instance
openstack server event list web-server

5. Backup and Disaster Recovery

• Regular snapshots of critical instances
• Volume backups stored in Swift
• Document recovery procedures
• Test restore processes regularly
• Consider cross-region replication for critical data

# Automated backup script example
#!/bin/bash
DATE=$(date +%Y%m%d)

# Create instance snapshot
openstack server image create web-server --name "web-backup-$DATE"

# Create volume backup
openstack volume backup create \
  --name "db-backup-$DATE" \
  --force \
  db-volume

# List backups older than 30 days and delete
openstack volume backup list -f json | \
  jq -r '.[] | select(.created_at | fromdateiso8601 < (now - 2592000)) | .id' | \
  xargs -I {} openstack volume backup delete {}

6. Cost Optimization

• Right-size instances based on actual usage
• Delete unused floating IPs and volumes
• Use appropriate storage tiers
• Schedule non-critical instances to run only when needed

Troubleshooting Common Issues

# Check instance status
openstack server show web-server --diagnostics

# Verify network connectivity
openstack port list --server web-server

# Check security group rules
openstack security group show default

# View compute service status
openstack compute service list

# Check network agent status
openstack network agent list